Not being able to access the router itself is likely due to firewall rules. Having the same VLAN ID on different bridges will not pass that traffic between the bridges; are you looking to bridge or to route the traffic?
Printing the bridge and PPP profile entries provides no useful information; post the output of /export hide-sensitive after redacting public IPs (if any).
Thanks for your help!
Hmm... I'm not sure about that. The VLAN is connected to a bridge which has all the VLANs, and the other bridge is just added to one of the VLANs as a port (to vlan_ovpn). I thought that in this sense the bridge works the same as a physical port, and that setting it as an access port would work.
Also I think Bridging it will be enough, because that bridge_ovpn is only needed so I could add that bridge as the Bridge of the OVPN profile. I think adding the bridge_vlan will not work, because that bridge has vlan-filtering set.
Here is my full config; I hope it helps you understand what I want to achieve. Anyway, if you have a better solution for attaching an OVPN server to a VLAN, I would gladly use that instead.
I have tried it many ways, so it may now seem too complicated, but none of the changes helped. I was not able to access anything on the LAN.
Config:
/export hide-sensitive
# may/16/2020 20:26:00 by RouterOS 6.46.6
# software id = CK9Q-MRSJ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460B1C119B
# NOTE(review): the header above is still present in a hide-sensitive export; the
# software id and serial number are worth redacting together with any public IPs
# before the export is shared.
#
# Two bridges are defined. bridge_vlan is the VLAN-aware bridge (vlan-filtering=yes,
# protocol-mode=none, i.e. no STP/RSTP on it). bridge_ovpn answers ARP on behalf of
# other hosts (arp=proxy-arp) and is the bridge the PPP profile ppp_private points at.
/interface bridge
add arp=proxy-arp name=bridge_ovpn
add name=bridge_vlan protocol-mode=none vlan-filtering=yes
# Port labels only; no functional settings apart from PoE-out being off on ether10.
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=Pi-hole
set [ find default-name=ether3 ] comment=NAS
set [ find default-name=ether4 ] comment="TP-Link Switch"
set [ find default-name=ether5 ] comment=openHABian
set [ find default-name=ether9 ] comment="Guest VLAN interface"
set [ find default-name=ether10 ] poe-out=off
# Layer-3 VLAN interfaces on top of bridge_vlan: 20 = guest, 99 = OpenVPN, 10 = private.
/interface vlan
add interface=bridge_vlan name=vlan_guest vlan-id=20
add interface=bridge_vlan name=vlan_ovpn vlan-id=99
add interface=bridge_vlan name=vlan_private vlan-id=10
# Switch-chip setting: default VLAN ID 0 on switch ports 0-11.
# NOTE(review): VLAN filtering in this config is done on bridge_vlan, so these look
# like leftovers from an earlier attempt; confirm they are intended.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists used by the firewall, NAT, discovery and MAC-server settings.
# Membership is assigned under "/interface list member" further down; BASE is the
# list the input chain trusts with full access to the router.
/interface list
add comment="ISP only" name=WAN
add comment="Contains all VLANs" name=VLAN
add name=BASE
add comment="Needed for inside PATs" name=BASE+WAN
# Two WPA2-PSK profiles: the built-in default one (labelled "Guest Profile") and
# profile_private. No pre-shared keys appear here because the export was taken with
# hide-sensitive. profile_private additionally allows management frame protection.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="Guest Profile" eap-methods="" group-key-update=1h \
mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=\
dynamic-keys name=profile_private supplicant-identity=""
# Two physical radios (wlan1 -> wlan_atlas on 5 GHz, wlan2 -> wlan_fujijama on 2.4 GHz),
# each with one virtual AP broadcasting the SSID "atlas-Guest". WPS is disabled on all
# four interfaces.
# The virtual APs name no security-profile, so they presumably fall back to the
# default profile ("Guest Profile") - verify.
# NOTE(review): wlan_atlas runs with country=no_country_set and
# frequency-mode=superchannel while wlan_fujijama uses country=hungary; confirm the
# 5 GHz radio is meant to run without a regulatory domain.
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee comment="Private Wi-Fi 5GHz" \
country=no_country_set disabled=no frequency=5260 frequency-mode=superchannel mode=ap-bridge name=wlan_atlas \
security-profile=profile_private ssid=atlas wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:B9 master-interface=wlan_atlas \
multicast-buffering=disabled name=wlan_atlas_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n country=hungary disabled=no distance=indoors frequency=auto mode=\
ap-bridge name=wlan_fujijama security-profile=profile_private ssid=fujijama wireless-protocol=802.11 wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BA master-interface=wlan_fujijama \
multicast-buffering=disabled name=wlan_fujijama_guest ssid=atlas-Guest wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
# Comment-only entries carried over from the wlan_atlas interface.
/interface wireless manual-tx-power-table
set wlan_atlas comment="Private Wi-Fi 5GHz"
/interface wireless nstreme
set wlan_atlas comment="Private Wi-Fi 5GHz"
# A kid-control entry with a name only; no schedule or limits are set on it here.
/ip kid-control
add name="Children control"
# Address pools: private LAN, guest LAN, and the pool handed to VPN clients.
/ip pool
add name=dhcp_pool_private ranges=10.0.0.50-10.0.0.254
add name=dhcp_pool_guest ranges=10.0.3.3-10.0.3.254
add name=dhcp_pool_ovpn ranges=10.0.99.10-10.0.99.253
# DHCP servers exist only for the private and guest VLANs. dhcp_pool_ovpn is not
# served by DHCP; it is consumed by the PPP profile below as remote-address.
/ip dhcp-server
add address-pool=dhcp_pool_private disabled=no interface=vlan_private lease-time=1d name=dhcp_private
add address-pool=dhcp_pool_guest disabled=no interface=vlan_guest lease-time=1h name=dhcp_guest
# Profile used by the OpenVPN server and the PPP secret: the router end of each
# tunnel is 10.0.99.9, clients get an address from dhcp_pool_ovpn and 10.0.0.3
# (the Pi-hole) as DNS server.
# NOTE(review): bridge=bridge_ovpn presumably only takes effect when the tunnel
# carries Ethernet frames (OpenVPN ethernet mode). The ovpn-server settings in this
# export show no mode=, so the server is presumably in its default IP mode and the
# client interface is never added to bridge_ovpn - verify.
/ppp profile
add bridge=bridge_ovpn dns-server=10.0.0.3 local-address=10.0.99.9 name=ppp_private remote-address=dhcp_pool_ovpn \
use-encryption=yes
# Bandwidth cap for everything on the guest VLAN interface (max-limit is
# upload/download as seen from the target).
/queue simple
add max-limit=2M/60M name="Limit Guest VLAN" target=vlan_guest
# Bridge port membership. Most ports are untagged-only access ports
# (frame-types=admit-only-untagged-and-priority-tagged, ingress-filtering=yes) with
# pvid=10 (private); ether9 and the two guest virtual APs use pvid=20 (guest).
# Exceptions worth checking:
#  - ether2 (Pi-hole) has no frame-types restriction and is a tagged member of
#    VLAN 20 in the VLAN table below, so the Pi-hole port also carries guest traffic.
#    NOTE(review): confirm the guest VLAN is meant to reach that port.
#  - sfp-sfpplus1 is added with default settings (no pvid, no ingress filtering
#    shown) and appears in no VLAN table entry.
#  - ether10 has pvid=10 but is listed as an untagged member of VLAN 99 below.
/interface bridge port
add bridge=bridge_vlan ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge_vlan interface=sfp-sfpplus1
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 \
pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 \
pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 \
pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 \
pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 \
pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
wlan_atlas pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
wlan_fujijama pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
wlan_fujijama_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
wlan_atlas_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 \
pvid=10
# The VLAN interface vlan_ovpn (VLAN 99 on bridge_vlan) is made a port of the second
# bridge, bridge_ovpn. The same interface also carries 10.0.99.2/24 under /ip address.
# NOTE(review): an IP address on an interface that is a bridge port is usually a
# misconfiguration (the address normally belongs on the bridge) - verify.
add bridge=bridge_ovpn interface=vlan_ovpn pvid=99
# Neighbor discovery runs on every interface in the VLAN list, which includes
# vlan_guest, so the router announces itself on the guest network as well.
# NOTE(review): consider limiting discovery to a list without the guest VLAN.
/ip neighbor discovery-settings
set discover-interface-list=VLAN
# VLAN table of bridge_vlan. The bridge itself is tagged in every VLAN so that the
# vlan_* interfaces receive the traffic.
#  - VLAN 10: private access ports (ether10 is not listed here despite pvid=10).
#  - VLAN 20: guest; ether2 is tagged, guest ports are untagged.
#  - VLAN 99: lists ether10 and bridge_ovpn as untagged members. bridge_ovpn is not a
#    port of bridge_vlan in the port list above, so that member presumably has no
#    effect - verify.
/interface bridge vlan
add bridge=bridge_vlan tagged=bridge_vlan untagged=\
ether3,ether2,ether4,ether5,ether6,ether7,ether8,wlan_atlas,wlan_fujijama vlan-ids=10
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=ether9,wlan_fujijama_guest,wlan_atlas_guest vlan-ids=20
add bridge=bridge_vlan tagged=bridge_vlan untagged=ether10,bridge_ovpn vlan-ids=99
# Detect Internet probes the WAN list and classifies interfaces into BASE / WAN.
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=BASE wan-interface-list=WAN
# L2TP server settings. No enabled=yes is shown, so the server is presumably
# disabled. NOTE(review): MS-CHAPv1/v2 are weak authentication methods; if L2TP is
# ever enabled, it should run inside IPsec.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ppp_private
# List membership:
#   WAN      = ether1
#   VLAN     = vlan_ovpn, vlan_private, vlan_guest
#   BASE     = vlan_ovpn, vlan_private   (trusted by the input chain)
#   BASE+WAN = ether1, vlan_private, vlan_ovpn   (matched by the dst-nat rules)
# NOTE(review): the per-client interface the OpenVPN server creates at connect time
# is in none of these lists, so rules matching in-interface-list=BASE or VLAN would
# not match tunnel traffic unless it really arrives via vlan_ovpn - verify.
/interface list member
add interface=ether1 list=WAN
add interface=vlan_ovpn list=VLAN
add interface=vlan_private list=VLAN
add interface=vlan_guest list=VLAN
add interface=vlan_ovpn list=BASE
add interface=vlan_private list=BASE
add interface=ether1 list=BASE+WAN
add interface=vlan_private list=BASE+WAN
add interface=vlan_ovpn list=BASE+WAN
# OpenVPN server: enabled, client certificate required, AES-256 with SHA-1 as the
# auth digest, server certificate named "server", sessions use profile ppp_private.
# No port= or mode= is shown, so presumably the defaults apply (the input chain
# opens tcp/1194 for it).
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes require-client-certificate=\
yes
# The router is .2 in each of the three subnets.
/ip address
add address=10.0.99.2/24 interface=vlan_ovpn network=10.0.99.0
add address=10.0.0.2/24 interface=vlan_private network=10.0.0.0
add address=10.0.3.2/24 interface=vlan_guest network=10.0.3.0
# Cloud DDNS is on: the router registers its current public address with MikroTik's
# cloud service.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
# DHCP options per subnet. Private and guest clients get the Pi-hole (10.0.0.3) as DNS.
# NOTE(review): the 10.0.99.0/24 entry names gateway 10.0.99.1, which is not an
# address configured on this router (it holds 10.0.99.2, the PPP profile uses
# 10.0.99.9), and no DHCP server is bound to that subnet, so the entry is
# presumably unused.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3 gateway=10.0.0.2
add address=10.0.3.0/24 dns-server=10.0.0.3 gateway=10.0.3.2
add address=10.0.99.0/24 dns-server=8.8.8.8 gateway=10.0.99.1
# The router answers DNS queries from other hosts (allow-remote-requests=yes). Who can
# reach that resolver is decided by the input chain, which accepts only tcp/1194,
# established/related and the BASE list.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
# defconf leftover: router.lan points at 192.168.88.1, an address this router no
# longer holds according to /ip address above.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# --- input chain (traffic to the router itself) ---
#  1. tcp/1194 accepted from any interface (OpenVPN listener).
#  2. established/related accepted.
#  3. everything from the BASE list accepted. The comment says VLAN_HOME, but BASE is
#     vlan_private AND vlan_ovpn.
#  4. drop. connection-state="" is an empty matcher, so this presumably acts as the
#     catch-all drop - verify with "/ip firewall filter print".
# --- forward chain (traffic through the router) ---
#  Accepted: new dst-nat'ed connections, established/related (fasttracked), DNS to the
#  Pi-hole (10.0.0.3:53 udp/tcp) from the VLAN list, and new connections from the VLAN
#  list out to WAN. Everything else hits the final drop.
# NOTE(review): no forward rule admits new connections from the VPN subnet
# 10.0.99.0/24 to the private subnet 10.0.0.0/24 other than DNS to 10.0.0.3, and even
# that rule only matches interfaces in the VLAN list. This is consistent with the
# reported symptom that nothing on the LAN is reachable over the VPN. If VPN access to
# the LAN is wanted, it needs an explicit accept rule scoped to the VPN source and the
# intended destinations, placed before the drop.
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN_HOME Full Access" in-interface-list=BASE
add action=drop chain=input comment=Drop connection-state=""
add action=accept chain=forward comment="Accept port forwards" connection-nat-state=dstnat connection-state=new
add action=fasttrack-connection chain=forward comment="Allow Fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs UDP" dst-address=10.0.0.3 dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=forward comment="Access Pi-hole DNS from VLANs TCP" dst-address=10.0.0.3 dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
out-interface-list=WAN
add action=drop chain=forward comment=Drop connection-state=""
# --- NAT ---
#  srcnat: hairpin masquerade for LAN-to-LAN traffic inside 10.0.0.0/24, then the
#  ordinary masquerade out of the WAN list.
#  dstnat: six port forwards to the NAS at 10.0.0.252 (SSH 18022->22, Transmission web
#  UI 19091->9091, Transmission 49850, HTTPS 61443->443, Lighttpd 61081->8080,
#  "OH link" 61082->8081).
# NOTE(review): the dst-nat rules match in-interface-list=BASE+WAN with no dst-address,
# so any TCP connection to these ports arriving on ether1, vlan_private or vlan_ovpn is
# redirected, whatever address it was sent to. Via ether1 this publishes the NAS's SSH
# and the Transmission web UI to the Internet. Confirm each forward needs to be public;
# otherwise restrict it with src-address-list or reach the service over the VPN, and
# add dst-address-type=local so only traffic addressed to the router is translated.
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow internal access to servers using router's external IP addresses" \
dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS dst-port=18022 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
10.0.0.252 to-ports=22
add action=dst-nat chain=dstnat comment="Transmission Web Interface" dst-port=19091 in-interface-list=BASE+WAN \
protocol=tcp to-addresses=10.0.0.252 to-ports=9091
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 in-interface-list=BASE+WAN protocol=tcp \
to-addresses=10.0.0.252 to-ports=49850
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface-list=BASE+WAN protocol=tcp to-addresses=\
10.0.0.252 to-ports=443
add action=dst-nat chain=dstnat comment=Lighttpd dst-port=61081 in-interface-list=BASE+WAN protocol=tcp \
to-addresses=10.0.0.252 to-ports=8080
add action=dst-nat chain=dstnat comment="OH link" dst-port=61082 in-interface-list=BASE+WAN protocol=tcp \
to-addresses=10.0.0.252 to-ports=8081
# Policy 0 matches any source and any destination.
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Password logins to SSH stay allowed even for users that have a public key installed.
# The export has no "/ip service" section, so the management services are presumably
# at their defaults; per the input chain they are reachable from the BASE list only.
# NOTE(review): confirm which services are enabled and whether password SSH is needed.
/ip ssh
set always-allow-password-login=yes
# UPnP is switched on. No "/ip upnp interfaces" entries appear in the export, so
# presumably no internal/external interface is assigned - verify. Once interfaces are
# assigned, any LAN host can request port forwards without an administrator.
/ip upnp
set enabled=yes
# The VPN account. Its password is omitted by hide-sensitive; the user name is not.
/ppp secret
add name=kristof profile=ppp_private service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=RB4011
# LED assignments: LED 0 follows vlan_private, the rest show wlan_fujijama signal
# strength and TX/RX activity.
/system leds
set 0 interface=vlan_private
add interface=wlan_fujijama leds="wlan_fujijama_signal1-led,wlan_fujijama_signal2-led,wlan_fujijama_signal3-led,wla\
n_fujijama_signal4-led,wlan_fujijama_signal5-led" type=wireless-signal-strength
add interface=wlan_fujijama leds=wlan_fujijama_tx-led type=interface-transmit
add interface=wlan_fujijama leds=wlan_fujijama_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org,2.hu.pool.ntp.org,3.hu.pool.ntp.org
# Graphs are viewable from the private subnet; resource graphs from the VPN subnet too.
/tool graphing interface
add allow-address=10.0.0.0/24
/tool graphing resource
add allow-address=10.0.0.0/24
add allow-address=10.0.99.0/24
# Layer-2 management (MAC-Telnet and MAC-Winbox) is limited to the BASE list, i.e.
# vlan_private and vlan_ovpn; the guest VLAN and WAN are excluded.
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Thanks for your help!